Adobe releases third security update this month for Flash Player

Latest advisory assigns top priority rating to Windows and Mac users.

Adobe has released an emergency security update for its widely used Flash media player to patch a vulnerability being actively exploited on the Internet. The company is advising Windows and Mac users to install it in the next 72 hours.

An advisory the software company issued on Tuesday said only that the affected Flash flaws "are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." It identified the bugs as CVE-2013-0643 and CVE-2013-0648 in the Common Vulnerabilities and Exposures database. The advisory added that the exploits targeted the Firefox browser. A spokeswoman said no other attack details are available.

Adobe's advisory assigns a priority rating of 1 to the Flash versions that run on Microsoft Windows or Mac OS X. That rating is reserved for "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The Linux version carries a priority rating of 3, which is used to designate "vulnerabilities in a product that has historically not been a target for attackers."

Recent versions of Flash are equipped to receive and install updates automatically, but there can sometimes be a delay before the mechanism is triggered. Those who don't want to wait can download the update directly from Adobe.

58 Reader Comments

I know everyone's bashing on how frequently Adobe is updating Flash (and rightfully so, for the most part), but at least they are releasing frequent updates? I much prefer this to the dragging-their-feet update style they could also pursue if they were so inclined.

We have the perfect comparison in Oracle. Their approach is to drag their feet until their shoes come off then issue a fix. Doesn't seem to be doing them any favours in the press either, it's almost as if the only companies that aren't taking a bashing are the ones making software that doesn't contain an endless supply of easily discovered security flaws.

Are you freaking kidding me? I've had to update over 200 laptops this past week TWICE and NOW I've got to do it again (I know, crying in my beer).

Was Jobs right or was he RIGHT!?!

If you have 200 machines, you should be backed by a WSUS server, along with Local Update Publisher to push out updates to things like Flash and Java. Your life will be easier.

Or if you don't want to do that, turn on the autoupdater for Flash.

The problem with auto-updater for Flash is that it sometimes requires user intervention -- last time it popped up on my computer when I clicked on "Download" button it opened a web browser asking me to download and install the update manually instead of doing the usual downloading and installing by itself.

Flash and Java are the worst nightmares of any sysadmin.

Recently in my company I had to troubleshoot a problem with a computer that ran out of space on the system drive. I checked it out and it was clean (no viruses or rootkits) and nobody had installed anything on it which would account for the wasted space. After checking the usual suspects such as temp folders, recycle bins, and system restore I had to resort to using Total Commander to check the sizes of all folders in the user profile and then I found the culprit -- it was Java!

It was used as a video player for some website and it cached no less than 16 GB of videos locally in some random folder. An hour of my life wasted solving a problem with software (Java) which shouldn't even be installed on that computer because it is not needed for everyday work.

If you don't want to waste time updating and taking care of that crap my suggestion is to ban Flash and Java in your organization everywhere except where they are really needed (such as for e-banking sites or on development machines).

Uh, you're thinking of Java. The Flash updater doesn't have adware. Only the initial download does that...

You must already have the Google Toolbar installed, and Chrome as your default browser.

Overlooking — and so, failing to opt out of — that checkmark a couple of versions back cost me a few hours of repair, as it hosed my registry. Frequent updates are NOT a benefit when they accompany that type of risk. Likely causes more users more grief than the actual malware lurking in Russian websites.

The Flash updater doesn't have any adware. I also use neither Chrome nor Google Toolbar. Only if you go to Adobe's site and attempt to download Flash are you presented with a checked box for a McAfee thing. So I'm left wondering what the hell you downloaded.

Yes, which is selected by default, so a new user, or a simple brainfart, and you're now installing whatever it comes with, so yes, I say that's more adware than not.

As for the auto-update option, it doesn't always work. I even do a flash test, showing the current version and the installed version and when they differ, the auto-update still doesn't kick in. It should. Sometimes it does after I reboot, but usually nothing happens (maybe it's really delayed). I think auto-update should just be a silent update that happens without any user involvement - hence the "auto" part.

It is silent, except for major updates (which was fucking stupid of Adobe). If you look in your Task Scheduler, you'll see a task that launches every hour to check for updates and install them if there are any, or turn off until the next check if there aren't. Sometimes, the update is fully propagated to all corners of the world after the update announcement goes out.

The Flash autoupdater runs as a service that turns on every few hours to check for an update. The end user doesn't need admin rights.

This has never quite worked for us. Incremental updates go through fine (usually), but major updates (i.e. 11.x) prompt the user and require escalated privileges.

The end result is that users end up on old, unsupported releases, despite the supposed automatic updates. A proper patch management system (e.g. one built on WSUS) is the only solution I've found that works consistently.

Admins deploying Flash Player to large groups of users are encouraged to take a look at leveraging the autoupdate service and hosting their own internal update server. This assures that your users will receive updates silently (regardless of the release type) and quickly when made available.

I have my Flash updater set to require my active permission before it attempts an upgrade. When I booted up (Monday? yesterday?) morning, I was presented with an alert asking whether to upgrade (as expected) with an option to install Chrome & make it my default, pre-checked. I've been seeing several of these, so in addition to being certain I saw it this week, I'm also pretty sure I have seen those same gotcha-ready options a couple of times before, too.

If you're with Adobe, and want to assert that there are no circumstances in which the updater will propose downloading Chrome, go ahead and assert as much. Otherwise, you're contradicting my experience with exactly zero evidence. You didn't see it? Fine.

Major scheduled updates, like the one made available on 2/12, will go through the web page and do have the "opt out" checkbox. Zero-day security fixes and minor updates can be delivered silently (depending on your update preference). Here's how it works:

If they're going to go to that much trouble, they might as well just deploy the updates through WSUS. There are plenty of methods for doing so (I prefer SolarWinds Patch Manager). It would be a whole lot more maintainable than running two independent update servers.

That might be true, I don't have any experience with WSUS. I was just trying to illustrate how someone can, for minimal cost, leverage Flash's built-in auto update mechanism. They can push builds internally without having to deal with unwanted UI and software, user account levels, or being logged in at all. It's also a cross platform solution for organizations that have OS X machines too.
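The two things the thread keeps circling back to are the "installed version vs. required version" check one commenter does by hand, and the internal update server the Adobe commenter recommends. What follows is an added PowerShell example that is not from the article or from any commenter: it inventories the Flash Player binaries on a Windows host, flags any below a minimum patched build, checks that the background updater is registered, and writes an mms.cfg that points silent updates at an internal mirror. The default build number, the host name updates.corp.example, and the updater task/service names are assumptions not stated on the page; replace the build with the one the current advisory ships and verify the names on your own install.

```powershell
# Added example, not from the article or any commenter. Inventories the Flash
# Player builds installed on a Windows host, flags any below a minimum patched
# build, checks that the background updater is registered, and writes an mms.cfg
# that points silent updates at an internal mirror.
# Assumptions not stated on the page: the default $MinimumBuild (replace it with
# the build the current advisory ships), the hypothetical host
# updates.corp.example, and the updater task/service names (verify on your build).
param(
    [version]$MinimumBuild = [version]'11.6.602.171',
    [string]$InternalUpdateServer = 'updates.corp.example'
)

# On 64-bit Windows the 32-bit plugin/ActiveX control lives under SysWOW64 and
# a 64-bit build under System32; a 32-bit host has only the System32 directory.
$flashDirs = @(@("$env:SystemRoot\System32\Macromed\Flash",
                 "$env:SystemRoot\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ })

function Get-FlashBuilds {
    foreach ($dir in $flashDirs) {
        # NPSWF*.dll is the NPAPI (Firefox) plugin, Flash*.ocx the IE ActiveX control.
        Get-ChildItem -Path $dir -Recurse -Include 'NPSWF*.dll', 'Flash*.ocx' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # ProductVersion is comma-separated, e.g. "11,6,602,168"; [version] needs dots.
                [pscustomobject]@{
                    File    = $_.FullName
                    Version = [version]($_.VersionInfo.ProductVersion -replace ',', '.')
                }
            }
    }
}

$builds = @(Get-FlashBuilds)
if ($builds.Count -eq 0) {
    Write-Output 'No Flash Player binaries found.'
    return
}
$builds | Format-Table -AutoSize

$stale = @($builds | Where-Object { $_.Version -lt $MinimumBuild })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} binary(ies) older than {1}: {2}" -f $stale.Count, $MinimumBuild,
                   (($stale | ForEach-Object { $_.File }) -join '; '))
} else {
    Write-Output "All Flash binaries are at or above $MinimumBuild."
}

# Background updater: a scheduled task on every install, plus a service on newer
# ones. If neither is present the host will never self-update.
$task = schtasks.exe /Query /TN 'Adobe Flash Player Updater' /FO LIST 2>$null
$svc  = Get-Service -Name 'AdobeFlashPlayerUpdateSvc' -ErrorAction SilentlyContinue
if (-not $task -and -not $svc) { Write-Warning 'Flash updater task/service not registered.' }

# mms.cfg is read from each Macromed\Flash directory. These keys keep auto-update
# on, make every release (major or minor) install silently without prompting or
# elevation, and fetch from the internal server instead of Adobe's.
# Set-Content replaces any existing mms.cfg; merge with existing settings if you have them.
$mms = @(
    'AutoUpdateDisable=0'
    'SilentAutoUpdateEnable=1'
    "SilentAutoUpdateServerDomain=$InternalUpdateServer"
)
foreach ($dir in $flashDirs) {
    $mmsPath = Join-Path $dir 'mms.cfg'
    Set-Content -Path $mmsPath -Value $mms -Encoding Ascii
    Write-Output "Wrote $mmsPath"
}
```

Run it from an elevated prompt, since mms.cfg lives under the Windows system directories. The version check reads the binaries' own file version rather than trusting a registry key, so it still catches the case several commenters describe where the updater reports one version while an older plugin is actually loaded; the mms.cfg part is what turns the "major updates prompt the user" behaviour into the silent install the Adobe commenter says an internal server provides.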